qontract-reconcile 0.10.1rc701__py3-none-any.whl → 0.10.1rc703__py3-none-any.whl

{qontract_reconcile-0.10.1rc701.dist-info → qontract_reconcile-0.10.1rc703.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc701
+Version: 0.10.1rc703
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc701.dist-info → qontract_reconcile-0.10.1rc703.dist-info}/RECORD

@@ -9,7 +9,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=Xj_msd-518yR9r1hy39FI3Q9gBRZQsfM9HRA-Ep6CKY,93661
+reconcile/cli.py,sha256=deAj6fNIYnrEKgOKv2UYZKAvuvEmYVUWj4nDSG6y99U,96070
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -135,6 +135,11 @@ reconcile/aus/version_gates/handler.py,sha256=S_isQPYHbG4DERiUEvQBZ6ngiFX3uMmATA
 reconcile/aus/version_gates/ingress_gate_handler.py,sha256=ZCtyggBzzcb0prtdbMpJsVkj5leYN-vS7srM9vbq9xo,1096
 reconcile/aus/version_gates/ocp_gate_handler.py,sha256=RW1ppDaCZXVegV9AzzqYXxDUu_Z_7d43Z5h2Pk_piKc,716
 reconcile/aus/version_gates/sts_version_gate_handler.py,sha256=PhJ7yBh2q-rv9CJcfFhc0H11nyDyG7NAryNS3F74xdY,3697
+reconcile/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/aws_account_manager/integration.py,sha256=TLlhxnHXRCVz2GYJQei-dBdSpeLseEkoVUwHhgi41fk,13804
+reconcile/aws_account_manager/merge_request_manager.py,sha256=zZct3NxWMBQupl4QfD7ULxnt4ipt_2FBoH_NusboIuw,3781
+reconcile/aws_account_manager/reconciler.py,sha256=AqAA3TIEfuYzIogHSBgwYTebxbTy1D6JhcxdLiOfCsc,13588
+reconcile/aws_account_manager/utils.py,sha256=K4rAjEMK-eQ_Sv4lOf6dPynQy97xZ4h-n6cJn5Z6zVw,1248
 reconcile/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_ami_cleanup/integration.py,sha256=IW95cpMj2P5ffs-AxsR_TDQCJnYFBhLIfP2de7dz_8A,10109
 reconcile/aws_cloudwatch_log_retention/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -185,6 +190,8 @@ reconcile/gql_definitions/advanced_upgrade_service/aus_clusters.py,sha256=zrZCHa
 reconcile/gql_definitions/advanced_upgrade_service/aus_organization.py,sha256=uFx75cLe1a4xyArr6ekoAUbrzSRnhR7S2vaR3G5Fzbw,3299
 reconcile/gql_definitions/app_interface_metrics_exporter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/app_interface_metrics_exporter/onboarding_status.py,sha256=uVEEqU6YYmKsNTo6EWlFnoVmqha2rvBDx-wiD64VmG0,1679
+reconcile/gql_definitions/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=c3RmQwbHa9UlfGwruufkA8PUfeiRJZ-lXEDInAREZqE,4405
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_ami_cleanup/asg_namespaces.py,sha256=OJmeTu7uirLGAysZ3IQTtRXqMyL8noi_QZxPuWYxxmI,3678
 reconcile/gql_definitions/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -240,6 +247,7 @@ reconcile/gql_definitions/dynatrace_token_provider/dynatrace_bootstrap_tokens.py
 reconcile/gql_definitions/fragments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/fragments/aus_organization.py,sha256=ARI87YAbC0VjFri9eVGYrRPBc4s0kWsa25RR8FFoq7E,4433
 reconcile/gql_definitions/fragments/aws_account_common.py,sha256=d_FwpS_dY8o8DCLa3NERs93FVxQLiDUIPm5tGNac-iw,2320
+reconcile/gql_definitions/fragments/aws_account_managed.py,sha256=zXbux0Bb7QZ37fU4LLMKB4m0rT3Y8bD10C1TuOsH_ZQ,1470
 reconcile/gql_definitions/fragments/aws_account_sso.py,sha256=ITR3PLz4Iq1SiWAoYGWPDuHJnAmTyZ0QQqs2Zsi8pxA,979
 reconcile/gql_definitions/fragments/aws_infra_management_account.py,sha256=uAmALVRF2gBM3p_Dmez_ew6KVAtetamwOPkRIPZAlGc,1254
 reconcile/gql_definitions/fragments/aws_vpc.py,sha256=T2egTwi2Rb0IRBBmsyag8xKpu_m6GbIAy80fhZNZwk8,1434
@@ -347,7 +355,7 @@ reconcile/ldap_groups/integration.py,sha256=iVfR7bRz8up_bf5Q4aVZHuVoUT6U_aHHkcgY
 reconcile/ocm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/ocm/types.py,sha256=ibJYvzfAZyyMFkcF1bP8u3rkXciYJRplt_7Z1pKHFh0,2484
 reconcile/ocm_internal_notifications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/ocm_internal_notifications/integration.py,sha256=6JFLu6TlcMC1OB5WgTAd-ITlhH_56W5uBytggukNk3A,4391
+reconcile/ocm_internal_notifications/integration.py,sha256=Gw2oB1Oe1Vvbj-fN_undhkQ2y5tCVhUfW5DenKu9ybM,4395
 reconcile/ocm_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/ocm_labels/integration.py,sha256=SqIgCYhlHEeoH2YXJ8kWIxCo9S3fzzAlZGxt9KCnJ1s,14792
 reconcile/ocm_labels/label_sources.py,sha256=z5Rg5uMTfRkTi3QbEQK1P82LLciWrSnp65XBEpZf2-o,1877
@@ -623,7 +631,7 @@ reconcile/utils/sharding.py,sha256=gkYf0lD3IUKQPEmdRJZ70mdDT1c9qWjbdP7evRsUis4,8
 reconcile/utils/slack_api.py,sha256=OPmzU6L9rJx2XXDlZkMlxLjOWu17yC-fVCoUItzQrXw,16295
 reconcile/utils/smtp_client.py,sha256=gJNbBQJpAt5PX4t_TaeNHsXM8vt50bFgndml6yK2b5o,2800
 reconcile/utils/sqs_gateway.py,sha256=gFl9DM4DmGnptuxTOe4lS3YTyE80eSAvK42ljS8h4dA,2287
-reconcile/utils/state.py,sha256=zjsprjbOb0WddzmAvh8ACqAt0fcayrX2YPfz7qceRWw,16090
+reconcile/utils/state.py,sha256=FK8NLT1xyumuXpYRm0Nk6pWpOE_U6-NovGn6zKCw8vw,16298
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=mZEKpu6nbfiQd60wRkc8-5sljBTUTOgaAKnF89itMzU,32085
@@ -639,10 +647,12 @@ reconcile/utils/acs/base.py,sha256=Qih-xZ3RBJZEE291iHHlv7lUY6ShcAvSj1PA3_aTTnM,2
 reconcile/utils/acs/policies.py,sha256=_jAz6cv8KRYtDsXjGoJgNbD8_9PUa5LSwwVlpK4A_cQ,5505
 reconcile/utils/acs/rbac.py,sha256=ugsLM9Pb7FbUbdq85E3VzXGMaB9ZovXob7tdWCxwqZ8,8808
 reconcile/utils/aws_api_typed/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/utils/aws_api_typed/api.py,sha256=ICBrpoZ1Y8ShMaNOQmzPzChmw-Ffdg0tCsu97fVwZ-w,6374
-reconcile/utils/aws_api_typed/iam.py,sha256=wH82lA2kUgEKR5McmyU5gB8ASfemT5xAk3Bb9cairVo,1508
-reconcile/utils/aws_api_typed/organization.py,sha256=dJ7J02BNHu7UDyFa9083b92vSamIX8DtHIoF8VwEijY,3675
+reconcile/utils/aws_api_typed/api.py,sha256=gqfZISSQLp6tHEAwEsroLWwyU4ZdbwHi9p0rNBQyLuI,7901
+reconcile/utils/aws_api_typed/iam.py,sha256=ka46H2-SzTCgy6EJYapKTzyZK9vR1bkfD0wF8bDdy1Q,2201
+reconcile/utils/aws_api_typed/organization.py,sha256=oXftcLVuSs9qej6efdssl38FvjeZaQC5R2Wj3NzxX4U,5529
+reconcile/utils/aws_api_typed/service_quotas.py,sha256=OU1D8LCmMw1IT87nt45LqXhguzcWwC8AaBdDTI7tz98,3018
 reconcile/utils/aws_api_typed/sts.py,sha256=5Sauncj9Fif3YDLkJYkBZrtOX0v0bGAqOmY0A5Bh9yA,1237
+reconcile/utils/aws_api_typed/support.py,sha256=PH3UW96Ne4_8I1J-_Vqj-DsK73gYGeVdOH13eD1783c,2447
 reconcile/utils/cloud_resource_best_practice/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/cloud_resource_best_practice/aws_rds.py,sha256=EvE6XKLsrZ531MJptKqPht2lOETrOjySTHXk6CzMgo0,2279
 reconcile/utils/clusterhealth/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -743,8 +753,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=UEwAW7PA_GIrbqzaLxpkCxbuVjEFLNvnVG-6VyoCGIc,4147
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc701.dist-info/METADATA,sha256=w6ee8LZoHXwgtGVu5XQXmwdQXUO1KINVucxNqyRJEKc,2382
-qontract_reconcile-0.10.1rc701.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc701.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
-qontract_reconcile-0.10.1rc701.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc701.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc703.dist-info/METADATA,sha256=yoAayu5zHJZhZK0IqR21e6WKXEMXcnLSXPoQ9gd52a8,2382
+qontract_reconcile-0.10.1rc703.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc703.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
+qontract_reconcile-0.10.1rc703.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc703.dist-info/RECORD,,

reconcile/aws_account_manager/integration.py

@@ -0,0 +1,342 @@
+from collections.abc import Callable, Iterable
+from datetime import datetime, timezone
+from typing import Any
+
+import jinja2
+
+from reconcile.aws_account_manager.merge_request_manager import MergeRequestManager
+from reconcile.aws_account_manager.reconciler import AWSReconciler
+from reconcile.aws_account_manager.utils import validate
+from reconcile.gql_definitions.aws_account_manager.aws_accounts import (
+    AWSAccountManaged,
+    AWSAccountRequestV1,
+    AWSAccountV1,
+)
+from reconcile.gql_definitions.aws_account_manager.aws_accounts import (
+    query as aws_accounts_query,
+)
+from reconcile.typed_queries.app_interface_repo_url import get_app_interface_repo_url
+from reconcile.typed_queries.github_orgs import get_github_orgs
+from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
+from reconcile.utils import gql
+from reconcile.utils.aws_api_typed.api import AWSApi, AWSStaticCredentials
+from reconcile.utils.aws_api_typed.iam import AWSAccessKey
+from reconcile.utils.defer import defer
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+from reconcile.utils.state import init_state
+from reconcile.utils.unleash import get_feature_toggle_state
+from reconcile.utils.vcs import VCS
+
+QONTRACT_INTEGRATION = "aws-account-manager"
+QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
+
+
+class AwsAccountMgmtIntegrationParams(PydanticRunParams):
+    account_name: str | None
+    flavor: str
+    organization_account_role: str = "OrganizationAccountAccessRole"
+    default_tags: dict[str, str] = {}
+    initial_user_name: str = "terraform"
+    initial_user_policy_arn: str = "arn:aws:iam::aws:policy/AdministratorAccess"
+    initial_user_secret_vault_path: str = (
+        "app-sre/creds/terraform/{account_name}/config"
+    )
+    account_tmpl_resource: str = "/aws-account-manager/account-tmpl.yml"
+    template_collection_root_path: str = "data/templating/collections/aws-account"
+
+
+class AwsAccountMgmtIntegration(
+    QontractReconcileIntegration[AwsAccountMgmtIntegrationParams]
+):
+    """Create and manage AWS accounts."""
+
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION
+
+    def get_early_exit_desired_state(
+        self, query_func: Callable | None = None
+    ) -> dict[str, Any]:
+        """Return the desired state for early exit."""
+        if not query_func:
+            query_func = gql.get_api().query
+        payer_accounts, non_organization_accounts = self.get_aws_accounts(
+            query_func, account_name=self.params.account_name
+        )
+        return {
+            "payer_accounts": [account.dict() for account in payer_accounts],
+            "non_organization_accounts": [
+                account.dict() for account in non_organization_accounts
+            ],
+        }
+
+    @staticmethod
+    def render_account_tmpl_file(
+        template: str, account_request: AWSAccountRequestV1, uid: str, settings: dict
+    ) -> str:
+        for k, v in settings.items():
+            if not isinstance(v, str):
+                continue
+            # render string templates with account name
+            settings[k] = v.format(account_name=account_request.name)
+        tmpl = jinja2.Template(
+            template,
+            undefined=jinja2.StrictUndefined,
+            trim_blocks=True,
+            lstrip_blocks=True,
+            keep_trailing_newline=True,
+        ).render({
+            "accountRequest": account_request.dict(by_alias=True),
+            "uid": uid,
+            "settings": settings,
+            "timestamp": int(datetime.now(tz=timezone.utc).timestamp()),
+        })
+        return tmpl
+
+    def get_aws_accounts(
+        self, query_func: Callable, account_name: str | None = None
+    ) -> tuple[list[AWSAccountV1], list[AWSAccountV1]]:
+        """Get all AWS payer and non-organization accounts."""
+        data = aws_accounts_query(query_func)
+
+        all_aws_accounts = [
+            account
+            for account in data.accounts or []
+            if integration_is_enabled(self.name, account)
+            and (not account_name or account.name == account_name)
+        ]
+        for account in all_aws_accounts:
+            validate(account)
+
+        payer_accounts = [
+            account
+            for account in all_aws_accounts
+            if account.organization_accounts or account.account_requests
+        ]
+        all_organization_account_names = {
+            org_account.name
+            for payer_account in payer_accounts
+            for org_account in payer_account.organization_accounts or []
+        }
+
+        non_organization_accounts = [
+            account
+            for account in all_aws_accounts
+            if account.name not in all_organization_account_names
+        ]
+        return payer_accounts, non_organization_accounts
+
+    def save_access_key(self, account: str, access_key: AWSAccessKey) -> None:
+        """Write the AWS secret to Vault."""
+        self.secret_reader.vault_client.write(  # type: ignore[attr-defined] # mypy doesn't recognize the VaultClient.__new__ method
+            secret={
+                "data": {
+                    "aws_access_key_id": access_key.access_key_id,
+                    "aws_secret_access_key": access_key.secret_access_key,
+                },
+                "path": self.params.initial_user_secret_vault_path.format(
+                    account_name=account
+                ).strip("/"),
+            },
+            decode_base64=False,
+        )
+
+    def create_accounts(
+        self,
+        aws_api: AWSApi,
+        reconciler: AWSReconciler,
+        merge_request_manager: MergeRequestManager,
+        account_template: str,
+        account_requests: Iterable[AWSAccountRequestV1],
+    ) -> None:
+        """Create new AWS accounts."""
+        for account_request in account_requests:
+            if not (
+                uid := reconciler.create_organization_account(
+                    aws_api=aws_api,
+                    name=account_request.name,
+                    email=account_request.account_owner.email,
+                )
+            ):
+                continue
+
+            with aws_api.assume_role(
+                account_id=uid, role=self.params.organization_account_role
+            ) as account_role_api:
+                if access_key := reconciler.create_iam_user(
+                    aws_api=account_role_api,
+                    name=account_request.name,
+                    user_name=self.params.initial_user_name,
+                    user_policy_arn=self.params.initial_user_policy_arn,
+                ):
+                    self.save_access_key(account_request.name, access_key)
+
+            merge_request_manager.create_account_file(
+                title=f"{account_request.name}: AWS account template collection file",
+                account_tmpl_file_path=f"{self.params.template_collection_root_path}/{account_request.name}.yml",
+                account_tmpl_file_content=self.render_account_tmpl_file(
+                    template=account_template,
+                    account_request=account_request,
+                    uid=uid,
+                    settings=self.params.dict(),
+                ),
+                account_request_file_path=f"data/{account_request.path.strip('/')}",
+            )
+
+    def reconcile_organization_accounts(
+        self,
+        aws_api: AWSApi,
+        reconciler: AWSReconciler,
+        organization_accounts: Iterable[AWSAccountManaged],
+    ) -> None:
+        """Reconcile organization accounts."""
+        for account in organization_accounts:
+            assert account.organization  # mypy
+            reconciler.reconcile_organization_account(
+                aws_api=aws_api,
+                name=account.name,
+                uid=account.uid,
+                ou=account.organization.ou,
+                tags=self.params.default_tags
+                | account.organization.tags
+                | {"app-interface-name": account.name},
+                enterprise_support=account.premium_support,
+            )
+
+            with aws_api.assume_role(
+                account_id=account.uid, role=self.params.organization_account_role
+            ) as account_role_api:
+                self.reconcile_account(account_role_api, reconciler, account)
+
+    def reconcile_account(
+        self,
+        aws_api: AWSApi,
+        reconciler: AWSReconciler,
+        account: AWSAccountManaged,
+        create_initial_user: bool = True,
+    ) -> None:
+        """Reconcile an AWS account."""
+        reconciler.reconcile_account(
+            aws_api=aws_api,
+            name=account.name,
+            alias=account.alias,
+            quotas=[q for ql in account.quota_limits or [] for q in ql.quotas],
+        )
+
+    def reconcile_payer_accounts(
+        self,
+        reconciler: AWSReconciler,
+        merge_request_manager: MergeRequestManager,
+        default_state_path: str,
+        account_template: str,
+        payer_accounts: Iterable[AWSAccountV1],
+    ) -> None:
+        """Reconcile all payer accounts including account creation."""
+        # reconcile accounts within payer accounts, aka organization accounts
+        for payer_account in payer_accounts:
+            # having a state per flavor and payer account makes it easier in a shared environment
+            reconciler.state.state_path = default_state_path
+            reconciler.state.state_path += f"/{payer_account.name}"
+            aws_account_manager_role = (
+                payer_account.automation_role.aws_account_manager
+                if payer_account.automation_role
+                else None
+            )
+            if not aws_account_manager_role:
+                raise ValueError(
+                    f"awsAccountManager role is not defined for account {payer_account.name}"
+                )
+
+            secret = self.secret_reader.read_all_secret(payer_account.automation_token)
+            with AWSApi(
+                AWSStaticCredentials(
+                    access_key_id=secret["aws_access_key_id"],
+                    secret_access_key=secret["aws_secret_access_key"],
+                    region=payer_account.resources_default_region,
+                )
+            ) as payer_account_aws_api:
+                with payer_account_aws_api.assume_role(
+                    account_id=payer_account.uid,
+                    role=aws_account_manager_role,
+                ) as acct_manager_role_aws_api:
+                    self.create_accounts(
+                        acct_manager_role_aws_api,
+                        reconciler,
+                        merge_request_manager,
+                        account_template,
+                        payer_account.account_requests or [],
+                    )
+                    self.reconcile_organization_accounts(
+                        acct_manager_role_aws_api,
+                        reconciler,
+                        payer_account.organization_accounts or [],
+                    )
+
+    def reconcile_non_organization_accounts(
+        self,
+        reconciler: AWSReconciler,
+        default_state_path: str,
+        non_organization_accounts: Iterable[AWSAccountV1],
+    ) -> None:
+        """Reconcile accounts not part of an organization via a payer account (e.g. payer accounts themselves)"""
+        for account in non_organization_accounts:
+            reconciler.state.state_path = default_state_path
+            reconciler.state.state_path += f"/{account.name}"
+            secret = self.secret_reader.read_all_secret(account.automation_token)
+            with AWSApi(
+                AWSStaticCredentials(
+                    access_key_id=secret["aws_access_key_id"],
+                    secret_access_key=secret["aws_secret_access_key"],
+                    region=account.resources_default_region,
+                )
+            ) as account_aws_api:
+                self.reconcile_account(account_aws_api, reconciler, account)
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        """Run the integration."""
+        gql_api = gql.get_api()
+        payer_accounts, non_organization_accounts = self.get_aws_accounts(
+            gql_api.query, account_name=self.params.account_name
+        )
+        state = init_state(self.name, self.secret_reader)
+        default_state_path = f"state/{self.name}/{self.params.flavor}"
+        reconciler = AWSReconciler(state, dry_run)
+        vcs = VCS(
+            secret_reader=self.secret_reader,
+            github_orgs=get_github_orgs(),
+            gitlab_instances=get_gitlab_instances(),
+            app_interface_repo_url=get_app_interface_repo_url(),
+            dry_run=dry_run,
+            allow_deleting_mrs=False,
+            allow_opening_mrs=True,
+        )
+        if defer:
+            defer(vcs.cleanup)
+        merge_request_manager = MergeRequestManager(
+            vcs=vcs,
+            auto_merge_enabled=get_feature_toggle_state(
+                integration_name=f"{self.name}-allow-auto-merge-mrs", default=False
+            ),
+        )
+        merge_request_manager.fetch_open_merge_requests()
+        account_template = gql_api.get_resource(path=self.params.account_tmpl_resource)[
+            "content"
+        ]
+        self.reconcile_payer_accounts(
+            reconciler=reconciler,
+            merge_request_manager=merge_request_manager,
+            default_state_path=default_state_path,
+            account_template=account_template,
+            payer_accounts=payer_accounts,
+        )
+        self.reconcile_non_organization_accounts(
+            reconciler=reconciler,
+            default_state_path=default_state_path,
+            non_organization_accounts=non_organization_accounts,
+        )

reconcile/aws_account_manager/merge_request_manager.py

@@ -0,0 +1,111 @@
+import logging
+
+from gitlab.exceptions import GitlabGetError
+from gitlab.v4.objects import ProjectMergeRequest
+
+from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.mr.base import MergeRequestBase
+from reconcile.utils.mr.labels import AUTO_MERGE
+from reconcile.utils.vcs import VCS
+
+AWS_MGR = "aws-account-manager"
+
+
+class AwsAccountMR(MergeRequestBase):
+    name = "AwsAccount"
+
+    def __init__(
+        self,
+        title: str,
+        description: str,
+        account_tmpl_file_path: str,
+        account_tmpl_file_content: str,
+        account_request_file_path: str,
+        labels: list[str],
+    ):
+        super().__init__()
+        self._title = title
+        self._description = description
+        self._account_tmpl_file_path = account_tmpl_file_path.lstrip("/")
+        self._account_tmpl_file_content = account_tmpl_file_content
+        self._account_request_file_path = account_request_file_path.lstrip("/")
+        self.labels = labels
+
+    @property
+    def title(self) -> str:
+        return self._title
+
+    @property
+    def description(self) -> str:
+        return self._description
+
+    def process(self, gitlab_cli: GitLabApi) -> None:
+        gitlab_cli.create_file(
+            branch_name=self.branch,
+            file_path=self._account_tmpl_file_path,
+            commit_message="add account template file",
+            content=self._account_tmpl_file_content,
+        )
+        gitlab_cli.delete_file(
+            branch_name=self.branch,
+            file_path=self._account_request_file_path,
+            commit_message="delete account request file",
+        )
+
+
+class MergeRequestManager:
+    """Manager for AWS account merge requests."""
+
+    def __init__(self, vcs: VCS, auto_merge_enabled: bool):
+        self._open_mrs: list[ProjectMergeRequest] = []
+        self._vcs = vcs
+        self._auto_merge_enabled = auto_merge_enabled
+
+    def _merge_request_already_exists(self, aws_acccount_file_path: str) -> bool:
+        return any(
+            aws_acccount_file_path == diff["new_path"]
+            for mr in self._open_mrs
+            for diff in mr.changes()["changes"]
+        )
+
+    def fetch_open_merge_requests(self) -> None:
+        all_open_mrs = self._vcs.get_open_app_interface_merge_requests()
+        self._open_mrs = [mr for mr in all_open_mrs if AWS_MGR in mr.labels]
+
+    def create_account_file(
+        self,
+        title: str,
+        account_tmpl_file_path: str,
+        account_tmpl_file_content: str,
+        account_request_file_path: str,
+    ) -> None:
+        """Open new MR (if not already present) for an AWS account and remove the account request file."""
+        if self._merge_request_already_exists(account_tmpl_file_path):
+            return None
+
+        try:
+            self._vcs.get_file_content_from_app_interface_master(
+                file_path=account_tmpl_file_path
+            )
+            # File already exists
+            raise FileExistsError(
+                f"File {account_tmpl_file_path} already exists in the repository"
+            )
+        except GitlabGetError as e:
+            if e.response_code != 404:
+                raise e
+
+        logging.info("Open MR for %s", account_tmpl_file_path)
+        mr_labels = [AWS_MGR]
+        if self._auto_merge_enabled:
+            mr_labels.append(AUTO_MERGE)
+        self._vcs.open_app_interface_merge_request(
+            mr=AwsAccountMR(
+                title=title,
+                description=f"New AWS account template collection file {account_tmpl_file_path}",
+                account_tmpl_file_path=account_tmpl_file_path,
+                account_tmpl_file_content=account_tmpl_file_content,
+                account_request_file_path=account_request_file_path,
+                labels=mr_labels,
+            )
+        )